VPN Client for Public Internet VPN (non-split) assistance

egua5261
Level 1

Hi There,

I'm hoping to receive some assistance with an issue I'm currently experiencing. It is related to a non-split VPN setup; the requirement is that VPN clients will be able to access a remote network and the internet via the firewall, in my case an ASA 5520, hence the public IP address for the VPN clients will be one assigned to our network by the ISP and not the VPN user's internet service public IP. I have followed the steps in this article but it is not working for me:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

I ran clear xlate and clear local after the changes with no luck. Once connected I am unable to access the internet and the remote network from the VPN client. The secured routes shown under statistics in the VPN client are 0.0.0.0 0.0.0.0.

I also tried the split VPN set up and that works fine. When connected I am able to reach the remote network and internet without a problem.

I noticed that under the non-split VPN setup, the VPN clients get assigned an IP and a gateway from the VPN local pool, which is not the case in the split-VPN setup, where the VPN clients get assigned only an IP and not a gateway.

The firewall as mentioned is an ASA 5520, Cisco Adaptive Security Appliance Software Version 8.0(3), Device Manager Version 6.0(3)

See attached the config related to the non-split VPN setup.

Regards,

Esteban

7 Replies

JORGE RODRIGUEZ
Level 10

Config looks fine except!

In your statement, maybe a typo?

your vpn network ip scheme

ip local pool vpn-pool-2 192.168.99.1-192.168.99.254 mask 255.255.255.0

your vpn network nat statement

nat (outside) 1 193.168.99.0 255.255.255.0

shouldn't it be

nat (outside) 1 192.168.99.0 255.255.255.0

Jorge Rodriguez

Esteban, just following up to see if your problem is resolved.

Once you correct the nat (outside) statement to coincide with your VPN network you can place back the Tunnel All firewall RA configuration and your VPN clients will be able to get outbound internet.

HTH

Rgds

-Jorge

Jorge Rodriguez

Hi Jorge,

It was indeed a typo, however not in the running config of the firewall but in the draft one (which was the one I had attached). I have re-checked and made sure the correct IP range is set in the VPN pool. I confirm I can connect; I get an IP such as 192.168.99.1 and gateway 192.168.99.2. I have tried on two different PCs, one running Win XP and the other Win Vista. I'm still not having luck on either of these... Once connected I can't connect to the remote network nor to the internet. I have cleared xlate to make sure the translation information is refreshed but still no luck.

I currently have two different group policies, two tunnel groups, two different VPN pools; one set is used for split VPN, which works very well; the other one is for non-split VPN, the one I am having trouble with... would this be an issue?

Also would there be a problem having these two under the same configuration?

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

Any more ideas on how to troubleshoot this further?

Best Regards,

Esteban

Hmmmm, ok, if you have the no-split tunnel group that does not work properly configured by the book it definitely is not making sense. Do you have crypto isakmp nat-traversal 20 enabled in your firewall? As well as an ACL permitting that VPN pool network access to the inside network. Also, have you looked at the logs when the VPN client tries to access the internet or connect to the inside network?

Can you post an updated sanitized ASA config... strip out public IP information.

Jorge Rodriguez

My mistake. I was trying to access websites via the domain name. I have just found that by connecting with the VPN client using the non-split profile I can reach outside IPs, which all comes down to a DNS issue, as the DNS addresses assigned to the client connection are internal. I'm having problems accessing the internal network, which explains why domain names are not resolving. Most likely due to the ACL that you mentioned. I'm not sure if I will need the crypto isakmp nat-traversal 20, what is this one for?

Esteban

Jorge,

I have finally fixed it. I was missing an entry for the vpn-pool IP range on the nonat access list (inside_vpn_nonat ACL), which exempts NAT to that range from the networks behind the firewall.

Thanks for your help.

Esteban
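For readers hitting the same symptom, here is the pre-8.3 (ASA 8.0-style) NAT set that the fix above describes, written as an added example rather than taken from Esteban's config. The 192.168.99.0/24 pool and inside_vpn_nonat ACL name come from the thread; the inside network 10.10.10.0/24 and the group-policy name are placeholders.

```cisco
! Added example (not the poster's running config). Placeholder inside
! network: 10.10.10.0/24. VPN pool and ACL name are from the thread.
ip local pool vpn-pool-2 192.168.99.1-192.168.99.254 mask 255.255.255.0

! Tunnel-all clients u-turn on the outside interface, so traffic must be
! allowed to enter and leave the same interface.
same-security-traffic permit intra-interface

! The missing piece: exempt inside <-> VPN-pool traffic from NAT. Without
! this line the inside hosts' replies to 192.168.99.x get PAT'd and die.
access-list inside_vpn_nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.99.0 255.255.255.0
nat (inside) 0 access-list inside_vpn_nonat

! Normal outbound PAT for inside hosts and for the VPN pool arriving on
! the outside interface (the pool network must match the ip local pool).
nat (inside) 1 10.10.10.0 255.255.255.0
nat (outside) 1 192.168.99.0 255.255.255.0
global (outside) 1 interface

! Group policy for the non-split profile (name is a placeholder).
group-policy tunnelall-policy attributes
 split-tunnel-policy tunnelall
```

After applying, `clear xlate` and check `show xlate` while a client browses: inside-to-pool flows should show no translation, and pool-to-internet flows should show the outside interface address.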

Esteban, I am glad you have fixed the problem and great you have posted how you resolved it.

Rgds

-Jorge

Jorge Rodriguez